DETAILED ACTION



1. Claims 1-15 are pending in this office action.



Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on January 
23, 2006, has been entered. 

Claim Rejections 

3. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 



Claim Rejections - 35 USC § 102 

4. Claims 1-15 are rejected under 35 U.S.C. 102(e) as being anticipated by Vaidya 
(U.S. Patent No. 6,279,113). 



Regarding claim 1, Vaidya teaches a node of a network maintaining an instance
of an intrusion prevention system, comprising:

• A memory module for storing data in a machine-readable format for retrieval and
execution by a central processing unit (fig. 2, ref. num 39); and 

• An operating system comprising 

o A network stack comprising a protocol driver, a media access control 
driver and an instance of the intrusion prevention system implemented as 
an intermediate driver and bound to the protocol driver and the media 
access control driver (col. 7, lines 18-24), 

• The intrusion prevention system comprising an associative process engine and 
an input/output control layer (fig. 2, ref. num 10),

o The input/output control layer operable to receive at least one of a plurality 
of machine-readable network-exploit signatures from a database and 
provide the at least one machine-readable network-exploit signature to the 
associated process engine (fig. 3, ref. num 58), 

o The associated process engine operable to compare a packet with the at 
least one machine-readable network-exploit signature and determine a 
correspondence between the packet and the at least one machine- 
readable network-exploit signature (fig. 3, ref. num 64). 

Regarding claim 2, Vaidya teaches wherein the database is maintained in a
storage device of the node (fig. 2, ref. num 26).

Regarding claim 3, Vaidya teaches wherein each of the plurality of machine-readable
network-exploit signatures comprise a respective directive that defines
instructions to be executed upon determination of a correspondence between the
packet and the respective exploit signature (col. 6, lines 1-11).

Regarding claims 4 and 5, Vaidya teaches wherein, upon determination of a
correspondence between the packet and two or more of the plurality of
machine-readable network-exploit signatures, [each of the directives/an alternative directive] of
the two or more machine-readable network-exploit signatures are executed by the
intrusion prevention system (col. 7, lines 41-45 and lines 62-67).

Regarding claim 6, Vaidya teaches a method of analyzing a packet at a node of a
network by an intrusion prevention system executed by the node (fig. 3), comprising: 

• Reading the packet by the intrusion prevention system (fig. 3, ref. num 58); 

• Comparing the packet with a plurality of machine-readable network-exploit 
signatures (fig. 3, ref. num 64); and 

• Determining a correspondence between the packet and at least two of the
plurality of machine-readable network-exploit signatures (fig. 3, ref. num 64 and
col. 7, lines 12-24).

Regarding claim 7, Vaidya teaches further comprising generating a record of the
at least two of the plurality of machine-readable network-exploit signatures with which a 
correspondence with the packet is made (col. 7, lines 32-34). 

Regarding claim 8, Vaidya teaches further comprising transmitting the record to a
management node connected to the network (col. 6, lines 21-24). 

Regarding claim 9, Vaidya teaches further comprising logging the record in a
database (col. 5, lines 47-51).

Regarding claims 10-12, Vaidya teaches further comprising executing, by the
intrusion protection system, a [respective/at least one/an alternative] directive of each of 
the at least two machine-readable signatures determined to correspond with the packet 
(col. 7, lines 41-45). 

Regarding claim 13, Vaidya teaches a computer-readable medium having stored
thereon a set of instructions to be executed, the set of instructions, when executed by a 
processor, cause the processor to perform a computer method of: 

• Comparing a packet with a plurality of machine-readable network-exploit
signatures (fig. 3, ref. num 64);

• Determining a correspondence between the packet and at least two of the
plurality of machine-readable network-exploit signatures (fig. 3, ref. num 64 and 
col. 7, lines 12-24); and 

• Generating a record of the at least two signatures with which the 
correspondence is made (col. 7, lines 32-35). 

Regarding claim 14, Vaidya teaches further comprising a set of instructions that
cause, when executed by the processor, the processor to perform a computer method
of:

• Determining a correspondence between the packet and a subset of the plurality 
of machine-readable network-exploit signatures, each machine-readable 
network-exploit signature comprising a directive (fig. 3, ref. num 64 and col. 7, 
lines 12-24 and col. 7, lines 51-62); and 

• Executing, by the processor, each directive of the record of machine-readable 
signatures (col. 7, lines 62-67). 

Regarding claim 15, Vaidya teaches further comprising a set of instructions that
cause, when executed by the processor, the processor to perform a computer method
of executing a directive dependent on the corresponding machine-readable
network-exploit signatures (col. 7, lines 41-45).

Response to Arguments

5. Applicant argues: 

a. Independent claim 1 is not taught by the references to include a network 
stack that includes an instance of the intrusion prevention system implemented 
as an intermediate driver (page 5, last paragraph through page 6). 

b. Independent claims 6 and 13 are not taught by the references to include
determining a correspondence between a packet and at least two of the plurality 
of machine-readable network-exploit signatures (page 7 through page 9). 

Regarding argument (a), examiner disagrees with applicant. Column 7, lines 18-24
of Vaidya teach a data packet that includes an IP header, MAC header information.
The passage continues by saying that extracting the above data helps detect network
intrusions. The IP header is a protocol; the MAC header information is the media
access control; the extraction of both enables the detection of network intrusions, which
constitutes the instance of the IPS as an intermediate.

Regarding argument (b), examiner disagrees with applicant. Claim 13 added this
limitation in the amendment, and is therefore moot. As for claim 6, column 7, lines 12-24
(more specifically line 17), teaches that signature profiles are extracted. Profiles mean two or
more, which reads on the claimed limitation.

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Brandon Hoffman whose telephone number is
571-272-3863. The examiner can normally be reached on M-F 8:30 - 5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 